Dive Brief:
- The Department of Justice on Wednesday announced an operation to disrupt the state-backed Russian botnet called Cyclops Blink, which was used by the threat actor known as Sandworm to infect thousands of devices worldwide.
- The court-ordered operation copied and removed malware from vulnerable firewall appliances used by Sandworm for command and control of the botnet. U.K. and U.S. government authorities issued warnings about Cyclops Blink in February, as the malware was infecting WatchGuard firewall appliances and Asus routers.
- "The Russian government has recently used similar infrastructure to attack Ukrainian targets," Attorney General Merrick Garland said at a press conference Wednesday. "Fortunately we were able to disrupt this botnet before it could be used."
Dive Insight:
Russia-linked threat actors have unleashed more than a half-dozen data-wiping malware strains since late January, as Russia was building up troops on Ukraine's borders.
U.K. and U.S. authorities warned in late February about Cyclops Blink, a more destructive version of the VPNFilter malware, which was discovered around 2018 and used compromised small office/home office (SOHO) routers and network-attached storage devices to launch attacks.
U.S. authorities previously linked Sandworm to the Russian Main Intelligence Directorate, or GRU. The threat actor is considered one of the most prolific in Russia’s arsenal of state-backed operations.
"Sandworm is the premier Russian cyberattack capability and one of the actors we have been most concerned about in light of the invasion," John Hultquist, VP of intelligence analysis at Mandiant, said in a statement. "We are concerned that they could be used to hit targets in Ukraine, but we are also concerned they may hit targets in the West in retribution for the pressure being placed on Russia."
WatchGuard officials worked closely with the FBI, DOJ, the Cybersecurity and Infrastructure Security Agency as well as the National Cyber Security Centre in the U.K. to help mitigate the impact of Cyclops Blink and warn customers about how to protect their systems.
The FBI has worked with internet service providers to contact WatchGuard customers who may have been unknowingly running infected devices.
"WatchGuard played an important role eliminating the threat posed by Cyclops Blink, with the rapid release of detection and remediation tools to protect its partners and customers following the government disclosure of the malware, and by cooperating with the [DOJ] in its effort to disrupt the botnet," a spokesman for WatchGuard said in an emailed statement.
The botnet affected less than 1% of WatchGuard appliances, the spokesperson said. The company credited close work with partner organizations and customers for mitigating the threat.
Federal officials are still urging anyone who may have an infected device to contact an FBI field office.